Comments on: Firewall and Speed

Question: Firewall and Speed

filmgeek — Tue, 02 Mar 2004 14:24:14 -0800

Geek Question: I took a look at my router's firewall. I'm getting a number of DDos attacks. Now, the firewall is acting all nice and blocking it...but, I'm sure this causing a slow down in my surfing/net use, etc.

Any ideas on how to make it stop?

By: malphigian

malphigian — Tue, 02 Mar 2004 14:59:54 -0800

How do you know they are dDos attacks and not just regular old worms or other exploit scripts scanning for open ports and/or unpatched servers?

If you were actually under a distributed denial of service attack by more than a few machines, you can bet you wouldn't be getting to AskMe. What are you seeing in your logs?

If these are just attempts to exploit vulnerabilities in web servers, don't worry about it, they hit everything. It's just the background noise of the internet. Pat your firewall and give it a cookie for a job well done.

By: zsazsa

zsazsa — Tue, 02 Mar 2004 16:50:23 -0800

You can't make it stop, unless somehow you got your ISP to firewall you on their end. Or you went around to everyone's computer in the world and upgraded them all with the latest security patches.

By: dejah420

dejah420 — Tue, 02 Mar 2004 20:00:40 -0800

Agreed. I get about 6 Slammer attempts an hour...and I don't even have sql on this machine. The amount of port scanning and worm propagation is just insane...but I understand your frustration, as my firewalls are working overtime too.

By: filmgeek

filmgeek — Tue, 02 Mar 2004 21:27:32 -0800

Followup:

There isn't a way for me to trace back and either totally block the offending IP addresses or notify their ISP that their machines are infected?

By: Danelope

Danelope — Tue, 02 Mar 2004 22:11:59 -0800

There isn't a way for me to trace back and either totally block the offending IP addresses or notify their ISP that their machines are infected?

There is, but it's quite impractical.

1. Grab the IP address of the offending machine from your logs.

2. Plug the IP into ARIN whois to determine who owns the netblock. Sometimes, ARIN will provide an appropriate e-mail address (i.e. abuse@) in the domain record. Sometimes, you'll have to access the netblock owner's site to locate an appropriate way to contact them.

3. Draft a polite message explaining that one of their customers is either willingly or unknowingly launching an attack on your machine(s). You absolutely must include the following: Your IP address, the IP address of the machine attacking you, a sample of the malicious traffic from your log files, and the date/time the attack occurred.

4. If they're a large national or international company, you likely won't receive a reply beyond their standard autoresponder. If they're a smaller local ISP, you will likely hear from an actual human being, and they may request further information.

5. If, after a week, you still see traffic coming from the reported machine, you can attempt to send another e-mail, again politely explaining that you are still receiving attacks from this IP address. Hopefully, the problem will be resolved. Sometimes, particularly if the ISP is based in Asia, you'll be dismissed and no amount of complaint-filing will help.

Now, here's the fun part: repeat this procedure for every one of the thousands of IP addresses you will undoubtedly log over a given period of time. Unless you have a very small group of machines attacking you, or you tend toward masochism, this will grow tedious rather quickly.